Skipping writing out my port forwarding and double NAT - assumed knowledge. The purpose is to bypass WiFi sign-in pages since a majority don’t block external DNS lookups.
Running OpenVPN as a package on pfSense with two instances: one listening on good old UDP 1194 (WAN), and another on UDP 53 (virtual IP on WAN).
So traffic would be android > WEB > USG > pfSense > VIP > OpenVPN when trying to use port 53.
The problem I’m having with this method is that it fails to connect several times and eventually does, but with really bad packet loss. I see TLS and handshake errors throughout the log.
When trying this over port 1194, it works great and without any problems. I’ve even switched it from listening on a VIP to the WAN directly so there was no double NAT.
Bypassing the USG and connecting over port 53, it works great. Only when I forward OpenVPN through port 53 on the USG do I have an issue. I suspect the USG’s firewall is dropping what it thinks are “bad” packets. Under the firewall I see it is set to drop bad states, but given this is a UDP stream I’m really confused about what’s going on. IPS/IDS is off; DPI is on.